Marinade.Finance is a non-custodial liquid staking protocol on Solana, with a TVL of $1 billion at the time of writing. People stake their tokens using automated staking strategies and receive “staked SOL” tokens (mSOL) that they can use in DeFi or unstake at any time to swap back to SOL.
If you want to learn more about Marinade.Finance, please visit the official Marinade documentation here.
Our core audit methodology consists of:
- Technical specification/documentation – a brief overview of the system is requested from the client and the scope of the audit is defined.
- Manual code review – the code is checked line by line for common vulnerabilities, code duplication, best practices and the code architecture is reviewed.
- Local deployment + hacking – the program is deployed locally and we try to attack the system and break it.
At the start of the auditing process we defined the following main objectives of the audit:
- Check the overall code quality.
- Make sure that nobody unauthorized can withdraw SOL or mSOL from the liquid pool.
- Verify that only Marinade itself can mint tokens.
- Check that only authorized entities can deploy the program to the Solana network.
Using our toolset and manual code review, we identified 4 low-severity issues and 1 medium-severity issue. None of the issues required immediate action.
Marinade’s team was helpful and cooperative throughout the auditing process. All imperfections in documentation and in commit culture were resolved quickly.